Motor Vehicle Control Device



Specification 

This invention relates to a motor vehicle control device which is protected against
manipulation as claimed in the preamble of claim 1.

In motor vehicles, control devices, such as for example the engine control device or the
transmission control device, are currently used to control individual motor vehicle components.
The information which is required for operating these control devices, such as programs and
data, is stored encrypted or unencrypted in memory modules (E²PROM, flash and the like). The
encryption process is independent of a fixed hardware combination of modules and is generally
stored in a rewritable storage medium.

The disadvantage of these control devices and the programs used is that individual 
memory modules can be replaced or the data on the memory modules can be overwritten via a 
diagnosis interface or via direct access to the memory module. The replacement of a memory 
module or overwriting of the data and programs stored on this memory module can lead to the 
motor vehicle components operating with other characteristics. This is done for example in
so-called chip tuning in which the memory modules which are assigned to the engine control device
are replaced or the programs and data stored on these memory modules, such as characteristics, 
are changed. As a result, the output and/or the torque of the engine can be increased for example. 
If this manipulation is done without adapting the other motor vehicle components, such as the oil 
cooler, turbocharger, or brakes, damage to these motor vehicle components and safety-critical 
states can occur.

The object of this invention is therefore to devise a motor vehicle control device in which
replacement of a memory module and changing of the data and of the code on the memory 
module are not possible without affecting the operability of the control device or at least 
diagnosing the change and optionally displaying it. 

The invention is based on the finding that this object can be attained by using an 
identifier of the original memory modules of a control device, which identifier cannot be 
changed, as a means of identification. 

The object of the invention is attained in that in a motor vehicle control device the 
microcomputer reads out at least one specific identifier of the original memory module from the
memory module and stores it. 

By safeguarding the specific identifier of the original memory module, a constant is 
provided which can be used to recognize replacement of a memory module or manipulation of 
data. The identifier can also represent the identification number of the memory module. But it is 
also possible to use as the identifier the data which were recorded at a certain time in the form of 
a fingerprint. Finally the identifier can contain additional information such as for example the 
date of manufacture or the date of first start-up of the control device. 

By preference at least one identifier is stored in the OTP (one-time-programmable) area 
of the microcomputer, which area is writable only once. In this way modification of the identifier 
in the microcomputer can be prevented and thus protection against manipulation can be 
enhanced. 

The identifiers stored in the microcomputer are used in the process as claimed in the 
invention at least in part to authenticate the memory modules. Each time the control device is 
booted up the memory modules which are actually connected to the microcomputer can be
authenticated using the original identifiers which are stored in the microcomputer. 

In one embodiment, authentication of the memory modules may take place by 
comparison of the identifier of the original memory modules which has been stored in the 
microcomputer with the identifier of the current memory modules. Here, when the control device 
is started up, the current identifiers of the current memory modules which are connected to the 
microcomputer are read out by the microcomputer and compared to the original identifiers which 
are stored in the microcomputer. As a result replacement of one or more of the memory modules 
can be detected and measures can be taken, for example actuation of the control device can be 
prevented by the microcomputer. 

As an alternative or in addition, authentication of the memory modules may take place by
encryption of data or programs, the key containing at least one part of one of the original
identifiers. This can result in that when the identifier differs from the original identifier the
microcomputer cannot access data or programs and thus the control device cannot run.

The data or programs stored unencrypted or encrypted on at least one of the memory 
modules can be displayed in the form of a fingerprint which records the data and programs at a 
specific time. If the data or programs are changed, manipulation can be detected when the 
fingerprint is identified again by comparison with a fingerprint which has been stored encrypted.

According to a second aspect of the invention, the object is attained by a control device 
for a motor vehicle component which comprises at least one microcomputer (µC) and at least one
memory module, at least one memory module having at least one specific identifier and the
microcomputer having at least one area in which at least one specific original identifier is stored.

In order to prevent manipulation by changing the identifier stored in the microcomputer,
the microcomputer can have an area which is writable only once (OTP area) and the specific
original identifier of at least one memory module can be stored in this area. This OTP area can in 
addition be configured to be read-protected. 

The control device can in addition have an authentication unit for authentication of the 
memory modules which are connected to the microcomputer, and this unit can constitute a 
program which is stored on the microcomputer. 

The authentication unit can therefore be formed by a program which is stored on the
microcomputer and which is used for comparison of the original identifiers with at least one
current identifier of at least one memory module. As an alternative or in addition, the program
for encryption of data or programs can access at least one of the original identifiers stored in the 
microcomputer. 

At least one of the memory modules of the control device can be integrated in the
microcomputer. It can be an embedded flash memory or an E²PROM emulation in the embedded
flash memory. In this case as well, storage of an identifier of the memory module in the OTP
area of the microcomputer can be used to advantage. Analogously to the external memories,
authentication of the memory modules by encryption of data or programs may take place, the key
containing at least one part of one of the original identifiers. This can result in that when the
identifier differs from the original identifier, the microcomputer cannot access data or programs
and thus the control device cannot run.

Features and details which are described in conjunction with the process as claimed in the
invention apply accordingly to the control device as claimed in the invention and vice versa.

The invention will be described in greater detail below with the aid of possible
embodiments illustrated in the attached drawings in which: 

FIG. 1 shows a schematic block diagram of a first embodiment of the control device as
claimed in the invention;

FIG. 2 shows a flow chart which represents one embodiment of the process as claimed in
the invention;

FIG. 3 shows a schematic block diagram of a second embodiment of the control device
as claimed in the invention; and

FIG. 4 shows a schematic block diagram of a third embodiment of the control device as
claimed in the invention.

FIG. 1 shows one embodiment of the control device as claimed in the invention. The
configuration of control devices, such as for example engine control devices, has been known for
a long time from the prior art, so that this is detailed only to the extent necessary for an
understanding of the invention. The control device 1 in this embodiment comprises a
microcomputer µC, a flash memory 2 and an EEPROM (E²PROM) 3. The flash memory 2 and
the EEPROM 3 each have an OTP area 21, 31. The latter are preferably configured not to be
read-protected. There is also an OTP area 11 in the µC. Furthermore, an authentication unit 12 is
contained in the µC. It may constitute an electronic circuit or a program in the µC.

The memory modules flash 2, EEPROM 3, in this embodiment are provided with 
identification numbers ID which are specific to the module. They are generally written at the 
manufacturer of the module and are stored in the OTP area 21, 31 of the individual modules.

FIG. 2 shows a flow chart which represents one embodiment of the process as claimed in
the invention using the embodiment of the control device shown in FIG. 1. 

In the process of manufacturing the control device as claimed in the invention, when the 
control device is started up for the first time the IDs of the individual memory modules 2, 3 are 
read out by the microcomputer µC and stored in the OTP area 11 of the µC, which area is
writable only once. Starting from this time, operation of the control device 1 is only possible in
conjunction with the IDs of the external memory modules 2, 3, which IDs are known to the µC.

With each additional start-up of the control device 1, the µC again reads out the ID of all
memory modules 2, 3 connected to it. In a comparison unit these current IDs may then be
compared to the original identifiers which are stored in the OTP area 11 of the µC. If it is
established in this comparison that one of the IDs does not agree with one of the original IDs, the 
control device is prevented from operating or at least the change is diagnosed and optionally 
displayed. 
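
An added example, not part of the patent text: a C model of the start-up check described above, with OTP area 11 simulated as a write-once structure. The type and function names and the sample IDs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define N_MODULES 2                 /* flash memory 2 and EEPROM 3 */

/* Simulated OTP area 11 of the microcomputer (assumed layout). */
typedef struct {
    uint32_t original_id[N_MODULES];
    bool     programmed;            /* set once; models the write-once property */
} otp_area_t;

typedef enum { BOOT_ENROLLED, BOOT_OK, BOOT_MISMATCH } boot_result_t;

/* Store the original IDs. A second write is refused, so a replaced
 * module can never be "learned" again. */
bool otp_enroll(otp_area_t *otp, const uint32_t ids[N_MODULES]) {
    if (otp->programmed)
        return false;
    for (size_t i = 0; i < N_MODULES; i++)
        otp->original_id[i] = ids[i];
    otp->programmed = true;
    return true;
}

/* Start-up check: learn the IDs on first start-up, compare on every later one.
 * On a mismatch, *bad_module receives the index of the first differing module. */
boot_result_t boot_authenticate(otp_area_t *otp, const uint32_t current[N_MODULES],
                                int *bad_module) {
    *bad_module = -1;
    if (otp_enroll(otp, current))
        return BOOT_ENROLLED;
    for (size_t i = 0; i < N_MODULES; i++) {
        if (otp->original_id[i] != current[i]) {
            *bad_module = (int)i;
            return BOOT_MISMATCH;   /* caller blocks operation or logs a diagnosis */
        }
    }
    return BOOT_OK;
}

/* Constructed sample IDs, not taken from any real part. */
static const uint32_t ORIGINAL_IDS[N_MODULES] = { 0x00F1A5A1u, 0x00EE9703u };
static const uint32_t REPLACED_IDS[N_MODULES] = { 0x00F1A5A1u, 0x00EE0000u };

int main(void) {
    otp_area_t otp = { {0}, false };
    int bad;
    boot_authenticate(&otp, ORIGINAL_IDS, &bad);              /* first start-up */
    boot_authenticate(&otp, ORIGINAL_IDS, &bad);              /* normal start-up */
    return boot_authenticate(&otp, REPLACED_IDS, &bad) == BOOT_MISMATCH ? 0 : 1;
}
```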

FIG. 3 shows another embodiment of the control device 1 as claimed in the invention. 
The configuration is essentially identical to the configuration of the embodiment of FIG. 1, 
however, in this embodiment the code for operating the control device is divided into a master 
code (MC) and a sub-code (SC). The master code MC contains elementary, essential 
functionalities for operating the control device, for example the program for generating signals 
for the connected actuators (not shown) of the control device or the program for computing the
actuating variables and outputs. The master code MC can furthermore comprise data. In the sub-code
SC additional programs and data are contained. The control device can only operate using
both codes, MC and SC. In the illustrated embodiment the sub-code SC is contained in a
rewritable area of the flash memory 2. The master code MC is contained in the OTP area 11 of
the microcomputer µC. The master code is preferably protected against read-out by way of
contact-making. This can be achieved for example either physically by failure of a transistor 
channel or by circuit engineering. The sub-code SC in contrast to the master code MC can be 
modified or overwritten. This allows updating of the sub-code or reprogramming.

Furthermore, the µC has an identification number µC-ID. It is also stored in the read-protected
OTP area of the µC. In the E²PROM other data for operating the control device are
stored in a rewritable area. These data may for example constitute adaptation values and idle rpm 
for an engine control device. 

When the control device is initialized, the microcomputer learns the identification 
numbers which have been stored in the OTP area 21, 31 of the memory modules 2, 3 and which 
thus cannot be changed, and stores them in the OTP area of the microcomputer µC which can
also optionally be configured as read-protected. 

From this time on, the memory modules 2, 3 which are connected to the microcomputer 
are known to the microcomputer µC via their ID.

In addition, the IDs of the memory modules stored in the microcomputer can also be used
for encryption of data or programs. Thus, the data stored on the E²PROM can be encoded for
example by a symmetrical encryption process in which the key comprises at least part of the ID
of at least one of the memory modules 2, 3. In an engine control device the E²PROM can store
for example learned values, production data, adaptation values and the like. Basically all
symmetrical encryption processes which allow incorporation of an identifier which is specific to
the control device are suited for encryption. Preferably the data of the E²PROM are encrypted by
a key which in addition or as an alternative to the ID of the external memory modules comprises
the ID of the microcomputer µC. This effects encryption which is specific to the control device
and which makes it impossible to replace the E²PROM or overwrite the data stored on it or
prevents operation of the control device after such manipulation. The key is preferably stored in
the RAM of the microcomputer µC. In this way the key is generated each time the control device
boots up with the incorporation of an identifier which is specific to the control device (for
example the ID of the µC and optionally the IDs of the memory modules) and thus the key is
specific to the control device.

Furthermore, the sub-code SC can be stored wholly or partially encrypted on the flash 
memory 2. For this encryption the ID of the individual memory modules or of the 
microcomputer or part of this ID can also be integrated into the key. The decryption of the data 
in the sub-code is effected by the master code. Since the latter is stored in a read-protected area 
of the microcomputer, read-out of the program and thus copying of the software can be 
prevented. 

Monitoring of the sub-code relative to manipulation which is ensured by the µC in the
master code can also take place by way of processes other than encryption. Thus, as an 
alternative or in addition, linear/CRC checksum formation or hash value formation may be used. 
To detect completed manipulation of the data and optionally parts of the sub-code, linear 
checksums are formed for example over selected areas and the result which is encrypted as a 
fingerprint is placed in the sub-code. The master code in control device operation, for example 
when there is a signal on the terminal 15, over the same predefined area computes the 
comparison value (for example, linear checksum) and checks it against the decrypted reference 
value which has been stored encrypted in the sub-code. The type of manipulation detection may 
be selected arbitrarily. 
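
An added example, not part of the patent text, covering both the device-specific key described above and this fingerprint check: the master-code side decrypts a stored checksum with a key rebuilt from the IDs and compares it with a freshly computed CRC-32. XTEA, the key layout, the function names and the sample values are assumptions; the specification names no particular cipher.

```c
#include <stddef.h>
#include <stdint.h>

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over the monitored area. */
static uint32_t area_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (; n--; p++) {
        c ^= *p;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* XTEA, 32 rounds: stands in for the unspecified symmetric cipher. */
static void xtea(uint32_t v[2], const uint32_t k[4], int decrypt) {
    uint32_t v0 = v[0], v1 = v[1], d = 0x9E3779B9u, sum = decrypt ? d * 32u : 0u;
    for (int i = 0; i < 32; i++) {
        if (decrypt) {
            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
            sum -= d;
            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        } else {
            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
            sum += d;
            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        }
    }
    v[0] = v0; v[1] = v1;
}

/* Key rebuilt in RAM at boot from ids = {uC-ID, flash ID, EEPROM ID} (assumed layout). */
#define DEVICE_KEY(ids) { (ids)[0], (ids)[1], (ids)[2], (ids)[0] ^ (ids)[1] ^ (ids)[2] }
/* Production side: encrypt the area's checksum into the stored fingerprint. */
void seal_fingerprint(const uint32_t ids[3], const uint8_t *a, size_t n, uint32_t fp[2]) {
    const uint32_t k[4] = DEVICE_KEY(ids);
    fp[0] = area_crc32(a, n);
    fp[1] = ~fp[0];                       /* redundancy word fills the 64-bit block */
    xtea(fp, k, 0);
}

/* Master-code side: decrypt the stored reference, recompute, compare. */
int subcode_intact(const uint32_t ids[3], const uint8_t *a, size_t n, const uint32_t fp[2]) {
    uint32_t k[4] = DEVICE_KEY(ids), ref[2] = { fp[0], fp[1] };
    xtea(ref, k, 1);
    return ref[1] == ~ref[0] && ref[0] == area_crc32(a, n);
}

int main(void) {   /* constructed sample IDs and sub-code bytes */
    uint32_t fp[2], ids[3] = { 0x5A17C0DEu, 0x00F1A5A1u, 0x00EE9703u };
    uint8_t sc[] = "idle_rpm=780;boost=1.2";
    seal_fingerprint(ids, sc, sizeof sc, fp);
    sc[19] = '9';                                   /* simulate a changed value */
    return subcode_intact(ids, sc, sizeof sc, fp);  /* exit 0: change detected */
}
```

A fingerprint sealed on one control device also fails verification on a device whose µC-ID differs, because the rebuilt key no longer matches.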

After detecting manipulation, the master code initiates measures which may lead to 
control device failure.

FIG. 4 shows another embodiment of the control device as claimed in the invention. In
this embodiment the memory modules 2 and 3 are integrated into the microcomputer µC. The µC
here has an embedded flash memory, the E²PROM being emulated. This configuration of the
control device does have the advantage that replacement of the memory modules can be reliably 
prevented, however, the data in the emulation of the E^PROM can be overwritten only block by 
block. 

The process for protection against manipulation takes place in this control device with an 
internal memory essentially analogous to the one described in the foregoing for control devices
with external memories. Here in particular the data of the emulated E^PROM can be stored 
encrypted and can be decrypted by a key which comprises at least an individual identifier of the 
control device, such as the µC-ID and/or the flash ID. Likewise the encrypted data or fingerprints
contained in the sub-code which is stored in the flash memory of the µC may be decrypted by the
master code. In this instance preferably an identifier which is specific to the control device is
also integrated in the key.

The invention is not limited to the described embodiments. Thus the identifier of the 
individual memory modules may be for example the date of manufacture of the control device. 
This may prevent manipulation during the warranty period. 

Furthermore it is for example also possible to store the code which is necessary for 
operation of the control device entirely in the read-protected OTP area of the µC instead of
assembling it from a master code and a sub-code.

The control device for the purposes of this invention may constitute for example an 
engine control device, a transmission control device or a combination instrument.

A large number of advantages can be achieved compared to conventional control devices
with the process as claimed in the invention and the control device as claimed in the invention. 

With the control device as claimed in the invention, replacement of one or more modules
can be reliably prevented since operation of the control device can be prevented by this
replacement. It is not possible to read out a part of the program or data which is essential for 
operation of the control if this part is stored in a read-protected OTP area. Thus, copying of the 
software can be prevented. Access to confidential data via contact-making with the module is not 
possible either if they are stored in the read-protected OTP area of the µC. The control device
can be protected against manipulation especially reliably by its being able to run only in the
combination of the master code and sub-code. Changing the sub-code which is stored in the
reprogrammable, optionally external memory, for example the flash memory, without adapting
the master code leads to control device failure. Furthermore, data, which are stored for example
on an E²PROM, can be encrypted in a manner specific to the control device. The decryption of
these data can also be made dependent on the identifier of the control device. Additional security
can be achieved by the encryption and decryption being made dependent on the combination of
the individual modules with the IDs which are known to the µC.

In summary it can therefore be stated that by storing an unalterable identifier of the
memory modules of a control device, the manipulation of control devices, such as for example
chip tuning in engine control devices, can be reliably prevented.